
RE: Next question...



Tony Li wrote:
> I have to disagree with both.  First, there is no way that
> the site border router OR the host is going to have full 
> information about global routing.  They *might* have some 
> limited policy information and a mechanism to retrieve locators.
> 
> My concern is not so much about loss of control as it is with 
> the administrative burden of implementing the policies.  

Isn't perception of burden really a function of direct vs. indirect
control? 

> Most policies are going to be site-wide, not host specific.  
> Having to distribute this policy and keep it consistent 
> across an enterprise can be done by our standard system 
> administration tools, but the effort involved in doing so is 
> non-trivial and the number of exception hosts is likely to be 
> small, so this just seems like a poor ROI for the site 
> administrator(s).

I agree that most policies are site wide, but ROI depends on how
valuable the exception list is. If you are in the exception list, your
perspective is different than if you are not. As far as triviality, that
depends on the mechanism. If it were something like a static policy on
all hosts to prefer the prefix order in the RA, it seems pretty trivial
to me.

> 
> Our job, as architects, is not to create an architecture with 
> infinite flexibility.  Rather, it is to reject those options 
> which lead to unnecessary complications down the line.  

And our disagreement really comes down to definition of 'necessary'. 

> Control at the host seems like an infrequently used feature.  

Frequency is not an indication of value. Besides, it is done on every
connection today, so that seems pretty frequent to me.

> Note that policy for a specific host can be implemented at either the 
> site border router (SBR) or at the host, so removing the 
> policy decision from the host isn't actually eliminating 
> architectural flexibility.

I absolutely disagree. Hosts actually make those policy decisions today,
and the system works. The machine I am typing this on has 4 IPv4
addresses, yet it has no trouble opening a connection to CNN.com by
picking from that list of possible sources, and the 8 available IPv4
destination addresses. There seems to be a fear that providing more
choices to the host will magically make the world more complex. 

The only thing that doesn't happen when the host selects the locator is
that the network administrator doesn't get to enforce fine-grained TE
for the return traffic. If this is what we are defining as 'unnecessary
complications', I have to question the necessity of changing the entire
infrastructure so that it will support the arbitrary replacement of
locators without affecting applications. That sounds a lot more complex
to me than simply adding one more policy to the set of things the host
administrators have to do already.

Tony